U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
WASHINGTON, D.C. 20416

TRANSMITTAL MEMORANDUM
Report No. 12-02

DATE: NOVEMBER 14, 2011

TO: JONATHAN I. CARVER
Chief Financial Officer

FROM: JOHN K. NEEDHAM
Assistant Inspector General for Auditing

SUBJECT: Independent Auditors' Report on the SBA's FY 2011 Financial Statements

We contracted with the independent public accounting firm, KPMG LLP, to audit the U.S. Small Business Administration's consolidated financial statements as of September 30, 2011, and for the years then ended. The contract required that the audits be conducted in accordance with Generally Accepted Government Auditing Standards; the Office of Management and Budget Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended; and the U.S. Government Accountability Office's Financial Audit Manual and Federal Information System Controls Audit Manual. This audit is an annual requirement of the Chief Financial Officers Act of 1990.

The results of KPMG LLP's audits are presented in the attached report. The report includes an opinion on SBA's financial statements, internal control over financial reporting, and compliance and other matters that have a direct and material effect on the financial statements. KPMG LLP issued an unqualified opinion on SBA's fiscal year 2011 consolidated financial statements. In summary, KPMG LLP found that:

• The financial statements were fairly presented, in all material aspects, in conformity with U.S. generally accepted accounting principles.
• There were no material weaknesses in internal control.
• There is a significant deficiency related to SBA's information technology security controls, which is a repeat condition.
• There is one instance of noncompliance with laws and regulations related to the Debt Collection Improvement Act of 1996, which is also a repeat condition.

The report also includes one other matter related to possible violations of the Federal Acquisition Regulation's documentation retention requirements. Details regarding the auditor's conclusions are included in the Compliance and Other Matters section of the Independent Auditors' Report. Within 30 days of this report, KPMG expects to issue a separate letter to management regarding other less significant matters that came to its attention during the audit.

We reviewed a copy of KPMG LLP's report and related documentation and made necessary inquiries of their respective representatives. Our review was not intended to enable us to express, and we do not express, an opinion on the SBA's financial statements, KPMG LLP's conclusions about the effectiveness of internal control, or its conclusions about SBA's compliance with laws and regulations. However, our review disclosed no instances where KPMG LLP did not comply, in all material respects, with Generally Accepted Government Auditing Standards.

We provided a draft of KPMG LLP's report to SBA's Chief Financial Officer, who concurred with its findings and recommendations and agreed to implement the recommendations. The Chief Financial Officer's comments are attached as Exhibit IV to this report.

We appreciate the cooperation and assistance of the SBA and KPMG LLP. Should you or your staff have any questions, please contact me at (202) 205-7390 or Jeffrey R. Brindle, Director, Information Technology and Financial Management Group, at (202) 205-7490.

Attachment


KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

Independent Auditors' Report

Office of Inspector General,
U.S. Small Business Administration:

We have audited the accompanying consolidated balance sheets of the U.S. Small Business Administration (SBA) as of September 30, 2011 and 2010, and the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our Fiscal Year (FY) 2011 audit, we also considered the SBA's internal control over financial reporting and tested the SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

Summary

As stated in our opinion on the consolidated financial statements, we concluded that the SBA's consolidated financial statements as of and for the years ended September 30, 2011 and 2010, are presented fairly, in all material respects, in conformity with U.S. generally accepted accounting principles.

Our consideration of internal control over financial reporting resulted in identifying certain deficiencies that we consider to be significant deficiencies, as defined in the Internal Control Over Financial Reporting section of this report, as follows:

        Improvement Needed in Information Technology Security Controls

We did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined in the Internal Control Over Financial Reporting section of this report.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed one instance of noncompliance and one other matter that are required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

        Noncompliance with the Debt Collection Improvement Act of 1996

The following sections discuss our opinion on the SBA's consolidated financial statements; our consideration of the SBA's internal control over financial reporting; our tests of the SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.

Opinion on the Financial Statements

We have audited the accompanying consolidated balance sheets of the SBA as of September 30, 2011 and 2010, and the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of the SBA as of September 30, 2011 and 2010, and its net costs, changes in net position, and budgetary resources for the years then ended, in conformity with U.S. generally accepted accounting principles.

The information in the Management's Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.

The information in the Other Accompanying Information section is presented for purposes of additional analysis and is not required as part of the consolidated financial statements. This information has not been subjected to auditing procedures and, accordingly, we express no opinion on it.

Internal Control Over Financial Reporting

A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct, misstatements on a timely basis. A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected, on a timely basis.

Our consideration of internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses. In our FY 2011 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses, as defined above. However, we identified a deficiency in internal control over financial reporting, described in Exhibit I, that we consider to be a significant deficiency in internal control over financial reporting. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Exhibit II presents the status of the prior year significant deficiency.

We noted certain additional matters that we have reported to management of the SBA in a separate letter dated November 14, 2011.

Compliance and Other Matters

The results of certain of our tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed one instance of noncompliance and one other matter that are required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, and are described below.

Debt Collection Improvement Act of 1996 (DCIA). During our testwork over loan charge-offs, we noted the SBA did not refer obligors to the U.S. Department of Treasury (Treasury) for offset or cross-servicing, in accordance with DCIA. Specifically, we noted the SBA did not refer obligors (eligible principal borrowers, co-borrowers, and/or guarantors) associated with 504 delinquent Disaster Assistance loans to the Treasury for offset or cross-servicing at time of charge-off. We also noted in the 7(a), 504, and Disaster programs more than 5,000 eligible co-borrowers and guarantors were not referred for offset or cross-servicing, in conjunction with the principal borrower at time of loan charge-off. In both conditions, the obligors were not referred to the Treasury for collection during the period under review due to systemic problems with the legacy mainframe system utilized by the SBA to facilitate the referral process. Specifically, certain outdated system edits in the SBA's referral protocol prevented certain loans in charged-off status from being transferred to the Treasury for collection. Also, programmers in the Office of the Chief Information Officer modified the system code (referral protocol) but did not test the program changes during the development phase prior to implementing the changes in production. We noted during the fourth quarter of FY 2011 that the Office of the Chief Information Officer was in the process of implementing actions to address these deficiencies, which led to the noncompliance with the DCIA. Exhibit III presents the status of the prior year noncompliance finding, which was also related to DCIA.

The results of our other tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed no instances of noncompliance and one other matter that is required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04.

A matter has been identified that may be a violation of the Federal Acquisition Regulation documentation retention requirements. This matter is currently under review by SBA management and the Office of Inspector General. The outcome of this matter is not presently known.

The results of our tests of FFMIA disclosed no instances in which the SBA's financial management systems did not substantially comply with the (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.

*******

Responsibilities

Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements applicable to the SBA.

Auditors' Responsibilities. Our responsibility is to express an opinion on the FY 2011 and 2010 consolidated financial statements of the SBA based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the SBA's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

• Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
• Assessing the accounting principles used and significant estimates made by management; and
• Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our FY 2011 audit, we considered the SBA's internal control over financial reporting by obtaining an understanding of the SBA's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of the SBA's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of the SBA's internal control over financial reporting. We did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.

As part of obtaining reasonable assurance about whether the SBA's FY 2011 consolidated financial statements are free of material misstatement, we performed tests of the SBA's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including the provisions referred to in Section 803(a) of FFMIA. We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to the SBA. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

SBA's response to the findings identified in our audit is presented in Exhibit IV. We did not audit SBA's response and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of SBA's management, SBA's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 14, 2011


Exhibit I
U.S. Small Business Administration
Significant Deficiency

The significant deficiency identified for the year ended September 30, 2011, is summarized below:

Improvement Needed in Information Technology Security Controls

During the Fiscal Year (FY) 2010 financial statement audit, we identified 20 information technology (IT) control findings and recommended many corresponding corrective actions. During the FY 2011 financial statement audit, we found that the U.S. Small Business Administration (SBA) implemented corrective actions to substantially remediate 10 of the 20 findings; however, we also identified 8 new IT control findings. Therefore, SBA's IT control environment continues to require improvement. The FY 2011 IT control deficiencies fall within the control areas of security access, including configuration and patch management, segregation of duties, and contingency planning. We are not providing details in this report on the specific deficiencies due to sensitivity considerations, but we have provided the details in a separate report to SBA management. Exhibit II of our report discloses the status of prior year IT findings.

Security Access Controls

Integral to an organization's security program management efforts, system security access controls should provide reasonable assurance that IT resources, such as data files, application programs, and IT-related facilities/equipment, are protected against unauthorized modification, disclosure, loss, or impairment.

A summary of the security access control deficiencies we identified during the FY 2011 SBA financial statement audit follows:

• We identified several high- and medium-risk security vulnerabilities affecting various financial systems. We provided the detailed vulnerabilities to SBA management.
• We identified weaknesses in network access controls and one financial system.
• SBA was unable to provide evidence that security incidents are analyzed, validated, and resolved.
• Physical access control procedures can be improved for a financial system hosted by an SBA service provider. In addition, access to the service provider data center can be improved.
• Several users have unnecessary access to one SBA financial subsystem.
• User accounts are not reviewed in accordance with SBA policy for five of the seven systems we reviewed.
• There are weak controls over the monitoring and review of audit logs for two of the seven systems we reviewed.

Recommendations - Security Access Controls:

We recommend that the Chief Information Officer (CIO) coordinate with SBA program offices to:

1. Enhance security vulnerability management processes. Specifically, SBA should: (a) redistribute procedures and train employees on the process for reviewing and mitigating security vulnerabilities, (b) periodically monitor the existence of unnecessary services and protocols running on their servers and network devices, (c) perform vulnerability assessments with administrative credentials and penetration tests on all SBA offices from a centrally managed location with a standardized reporting mechanism that allows for trending, on a regularly scheduled basis in accordance with National Institute of Standards and Technology (NIST) guidance, (d) develop a more thorough approach to track and mitigate configuration management vulnerabilities identified during monthly scans, and (e) monitor security vulnerability reports for necessary or required configuration changes to their environment.
2. Update the vulnerability assessment team (VAT) procedures, to include: (a) updating the VAT policies and procedures in accordance with NIST, (b) performing technical reviews of the results for critical issues that need immediate action and taking timely corrective action, (c) executing procedures to monitor the completion of the patch management deployment across the SBA enterprise, and (d) prioritizing vulnerabilities as part of the ongoing continuous monitoring process.
3. Prevent users from anonymously connecting unauthorized devices by developing and implementing procedures to ensure mandatory domain authentication for Internet Protocol (IP) address issuance.
4. Ensure users' access rights are authorized prior to gaining access to financial systems.
5. Fully implement the SBA entity-wide incident management and response program and ensure that procedures are enforced.
6. Ensure that information systems hosted by third parties comply with SBA policy and NIST guidance.
7. Develop and implement procedures for user access reviews to ensure that proper access rights are set for financial subsystems.
8. Oversee the review and validation of financial system accounts on a quarterly basis.
9. Implement a process to monitor the audit logs of all financial applications on a regular basis.

Segregation of Duties

The primary focus of an organization's segregation of duties controls is to provide reasonable assurance that incompatible duties are effectively segregated. Without such controls, there is a risk that unauthorized changes could be implemented into the IT environment, and users may have access that is inappropriate for their duties. As a result, the confidentiality, integrity, and availability of financial data are at risk of possible loss, modification, or disclosure.

A summary of the segregation of duties control deficiencies we identified during the FY 2011 SBA financial statement audit follows:

• An authorized user had conflicting access rights in a key financial system.
• Six users were authorized with rights as a database administrator (DBA) and system administrator to a financial application hosted by an SBA service provider.

Recommendations - Segregation of Duties:

We recommend the CIO coordinate with the Chief Financial Officer (CFO) to:

10. Restrict access to software program libraries based on the principle of least privilege, and implement compensating controls over actions where limited resources cause individuals to perform conflicting job functions.
11. Ensure that DBA and system administrator access is restricted through role-based segregation of duties and managed through an effective audit log review process.

Security Management

An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks. This security management program should establish a framework and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures. During the FY 2011 SBA financial statement audit, we found that a mandatory training program for IT security personnel has not been implemented.

Recommendations - Security Management:

We recommend the CIO:

12. Develop a comprehensive security education and training program for all IT security personnel and a method for monitoring the training program.

Software Configuration Management

The primary focus of an organization's software configuration management process is to control the software changes made to networks and systems. Without such controls, there is a risk that security features could be inadvertently, or deliberately, omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment.

A summary of the configuration management deficiencies we identified during the FY 2011 SBA financial statement audit follows:

• The configuration management process is not centralized, and the Enterprise Change Control Board governance processes are not fully implemented across SBA.
• SBA personnel could not provide sufficient evidence to support software change authorizations for one financial system.
• For one financial subsystem, loan charge-off software changes were not tested before being moved to production, which impacted the SBA's compliance with the Debt Collection Improvement Act of 1996 (DCIA). Note that these issues were reported as a noncompliance with the DCIA in the Compliance and Other Matters section of our audit report.

Recommendations - Software Configuration Management:

We recommend the CIO:

13. Enforce an organization-wide configuration management process, to include policies and procedures for maintaining documentation that supports testing and approvals of software changes.

We recommend the CIO coordinate with the CFO to:

14. Implement configuration management policies and procedures for document retention to include supporting evidence to validate the authorization of operating system changes.

Contingency Planning

The focus of an organization's contingency planning program should provide reasonable assurance that information resources are protected and the risk of unplanned interruptions is minimized. Without such controls, there is a risk that data may be lost or that critical operations may not resume in a timely manner.

A summary of the contingency planning weaknesses we identified during the FY 2011 SBA financial statement audit follows:

• Backup tapes necessary to restore system operations are not consistently rotated off-site for four of the seven systems we reviewed.
• Comprehensive contingency and disaster recovery plans have not been developed, authorized, nor tested for three of the seven systems reviewed. Additionally, we noted that two financial systems and the Headquarters (HQ) Continuity of Operations Plan (COOP) were in place; however, the plans were not tested on a semiannual basis as prescribed by SBA policy.

Recommendations - Contingency Planning:

We recommend the CIO:

15. Enforce existing SBA policies to rotate backups off-site.

We recommend the CIO coordinate with the CFO to:

16. Create, implement, and test system-specific plans and the HQ COOP.


Exhibit II
U.S. Small Business Administration
Status of Prior Year Significant Deficiency

Fiscal Year 2010 Finding: Improvement Needed in Information Technology (IT) Security Controls

Fiscal Year 2011 Status of Finding: During our review of SBA's IT general and application controls, we noted some improvements made to address prior year findings. However, control deficiencies continue to exist. Therefore, in Fiscal Year (FY) 2011, the issue is again presented in Exhibit I. The issue was modified to reflect current year operations, and we continue to report a significant deficiency in internal controls as it relates to IT systems and the associated impact on the consolidated financial statements.


Exhibit III
U.S. Small Business Administration
Status of Prior Year Noncompliance

Fiscal Year 2010 Finding: Debt Collection Improvement Act of 1996 (DCIA). During our Fiscal Year (FY) 2010 audit, we noted the agency was noncompliant with the DCIA. The noncompliance was due to instances where SBA did not refer a substantial number of charged-off disaster loans to Treasury for cross-servicing.

Fiscal Year 2011 Status of Finding: During our review over SBA's compliance with the DCIA, we noted improvements made in SBA's Treasury cross-servicing referral process. However, during FY 2011, we noted instances of noncompliance related to timely referrals of loan charge-offs to Treasury for offset and cross-servicing. Therefore, in FY 2011, the issue is again presented in the Compliance and Other Matters section of our Independent Auditors' Report.


Exhibit IV

CFO Response to Draft Audit Report on FY 2011 Financial Statements

DATE: November 14, 2011

TO: John Needham, Assistant IG for Auditing

FROM: Jonathan Carver, Chief Financial Officer

SUBJECT: Draft Audit Report on FY 2011 Financial Statements

The Small Business Administration is in receipt of the draft Independent Auditors' Report from KPMG that includes the auditor's opinion on the financial statements and its review of the Agency's internal control over financial reporting and compliance with laws and regulations. The independent audit of the Agency's financial statements and related processes is a core component of SBA's financial management program.

We are delighted that the SBA has again received an unqualified audit opinion from the independent auditor with no reported material weaknesses. We believe these results accurately reflect the quality of the Agency's financial statements and our improved accounting, budgeting and reporting processes. As you know, the SBA has worked hard in past years to address the findings from our independent auditors. Our core financial reporting data and processes have improved substantially, and we are proud that the results of our efforts have been confirmed by the independent auditor.

The audit report includes a continuing significant deficiency in SBA's information technology controls. As the auditor noted in its report on the 2011 financial statements, the SBA implemented corrective action this year to substantially remediate 10 of the 20 prior year IT control findings. The auditor, however, identified 8 new IT findings this year. The SBA will continue to improve the Agency's IT security during the upcoming fiscal year. The SBA will continue to track, monitor, and aggressively mitigate vulnerabilities in all Agency systems. Furthermore, the SBA will continue its work to clarify and strengthen detailed procedures required to ensure security access controls are in place to protect SBA data from unauthorized modification, disclosure, and loss.

The auditor reported again this year that SBA is not compliant with the Debt Collection Improvement Act of 1996 in the non-referral of delinquent and charged-off loans to the Department of the Treasury for its tax refund offset and collection programs. Although the SBA made improvements to correct systemic errors identified last year, the auditor again found instances of charged-off Disaster loans and eligible Business loan co-borrowers and guarantors that were not referred to Treasury. Research by SBA identified the systemic issues that caused this finding and they were rectified this year. In addition, the SBA is currently migrating its Treasury referral system to a new platform in FY 2012.

During the audit, the auditor identified a potential non-compliance with Federal Acquisition Regulation requirements for document retention. The SBA had previously recognized the need for improvement to its acquisition process and has taken action to reorganize and improve its processes concerning the acquisition of goods and services. Furthermore, procurement actions during the current year have been conducted in accordance with FAR requirements including file documentation, and the SBA is now working to review and fully document prior year procurement files.

We appreciate all of your efforts and those of your colleagues in the Office of the Inspector General as well as those of KPMG. The independent audit process continues to provide us with new insights and valuable recommendations that will further enhance SBA's financial management practices. We continue to be committed to excellence in financial management and look forward to making more progress in the coming year.
